In mid January 2020, one of the largest hotel conglomerates in the world experienced a massive data breach. Over 5.2 million guests had their telephone numbers, email addresses, login credentials, loyalty numbers, names, birthdays, and language preferences accessed. The hotel did not notice the breach until late February when a third-party firm alerted them to the potential issue with one of their hotel chains. Currently it is too early to know how the hackers obtained the login credentials, but the company has since invalidated the data by resetting passwords and asking members to complete a two factor authentication.
Data breaches in the hospitality space are almost all too common. Chains need to start viewing data security as a budget priority. Costs of fines associated with the breach and damage to the brand will far outweigh the costs of staying ahead of the security curve. While the breach may have been unavoidable, an employee login accessing confidential information on over 5 million guests should be quickly viewed as anomalous activity. What the hotel did have in place was enough to confine the breach to a month, however a more acceptable time frame would be measured in days or hours.
Monitoring identities, employee education, and graphing trust relationships are all measures that can be taken to mitigate risk. Procuring services or products related to the above would go a long way to ensuring two employee login credentials would not be able to access such a high number of confidential records. Investing in security and creating a more developed security platform is no longer a luxury but a necessity. Companies should consider looking at security spend as un-budgeted to allow for value to be placed above price.
C-level executives need to shift the corporate mindset that customer data security is not a cost center but rather a revenue center. Security is not only for the protection of customer data, it is for strong brand retention and customer peace of mind. Having well built policies and procedures and staying on the cutting edge of data security goes a long way to ensure a positive customer experience. In the hospitality world positive customer experience is king and should not stop when the customer exits the property.
Thankfully the data breach was low risk and was able to be invalidated and mitigated relatively quickly. That being said an incredible undertaking will be required to regain brand security and undo the damage to the hotels reputation. This particular hospitality chain has a strong saving face recovery strategy but will face brand trust issues for years to come.
Read more about this breach on CNBC.